Another post from
“We have a Windows2003 box which is currently issuing certificates with an
Authority Key Identifier extension with a KeyID only (i.e. KeyID=ed 2a 47 a4
e9 09 5a ec 9e 51 1a 81 04 58 78 87 61 3f 94 fc).
How do we add the IsserName and IssuerSerial number to the AKI field?
Note: the certutil "-setreg policy\EditFlags +EDITF_ENABLEAKIISSUERSERIAL"
"certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERNAME" fail to add
these fields to the issued certificates. “
For a Windows 2003 CA you also need to set the following:
certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERNAME
certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERSERIAL
The first one (certutil -setreg ca\CRLEditFlags) will enable the CA to generate the extension with these fields populated.
The second one (certutil "-setreg policy\EditFlags) will tell the policy module to leave the fields in the extension
My posts seem to vary in text size.... one day Ill figure this out.
My URL links dont show up as links when viewed from the main blogs.msdn.com page - I noticed some folks do show up right.. one day Ill figure this out too.
It would be really cool if I could search within blogs.msdn.com -- say I only wanted hits from within these blogs.